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© An on-the-fly verification system, which employs 
statically-available information to reduce the size of 
the state space required to verify liveness and safety 
properties of a target system consisting of asyn- 
chronous communicating processes, 

generates a verifier from a description of the 
target system and a specification of the property to 
be verified. The verifier models the target system as 
a set of finite state machines, constructs a state 
space containing a graph of nodes representing 
states of the target system and transitions between 
the states, and uses the state space to verify the 
property. The size of the state space is reduced by 
using information from the description and the speci- 
fication to divide transitions from a node into per- 
process bundles and to determine which bundles of 
transitions must be included in the state space and 
which may be left out of the state space. The state 
space reduction technique never increases the size 
of the state space and often reduces it by orders of 
magnitude. 
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Background of the Invention 
Fl Id f the Invention 

The invention concerns techniques for verifying 
systems with concurrently-operating components 
and more specifically concerns verification of safe- 
ty and liveness properties in such systems. 

Description of the Prior Art 

A feature of modem life is the large number of 
complex systems which must operate correctly. At 
one end of the spectrum, there are complex in- 
tegrated circuits. These circuits can now implement 
whole computer systems. At the other end of the 
spectrum, there are world-wide communications 
networks. In between are control systems for medi- 
cal devices, aircraft or power plants. As complex as 
these systems are, users expect them to work 
perfectly, and indeed, they do work well enough 
that a failure is news. 

One way in which engineers have tried to deal 
with complex systems has been using verification 
tools to verify that the design for the complex 
system is correct. One large class of such tools 
works by modelling the complex system as a set of 
concurrently-operating components and verifying 
the model to make sure that the system exhibits 
properties such as safety and liveness. In the 
model has a safety property, the model will not do 
anything unreasonable; if it has a liveness property, 
it will eventually do something reasonable (for ex- 
ample, it will not hang). 

An approach taken in many verification tools is 
to model the system as a bounded system of finite 
state components. A finite state component is one 
which can be modelled with a set of a finite num- 
ber of states and state transitions. The model is 
verified by employing a computer program to ana- 
lyze the reachable global states and their transi- 
tions to determine that there are no states or transi- 
tions which negate the desired property. The mod- 
elling may be done "on the fly", that is, a portion of 
a graph representing the states of the finite state 
components and their state transitions is generated 
dynamically while the states and transitions in the 
portion are analyzed as required to verify the prop- 
erty. An example of such an "on the fly" verifica- 
tion tool is SPIN, described in G.J. Holzmann, 
Design and Validation of Computer Protocols, 
Prentice-Hall, 1992. 

"On the fly" verification tools such as SPIN are 
useful but are limit d by th "stat space prob- 
lem." The state space of a model consists of the 
number of global states the model may hav . With 
a model of any complexity, the state space be- 
comes so larg that even the largest computer 



systems do not have enough storage capacity and 
speed to make verification practical. In many 
cases, the verification could be done without 
searching many of the states in the state spac . 
5 Eliminating such redundant states from the state 
space is termed reduction of the state space. 

Until now, there has been no efficient tech- 
nique for reducing the state space. Those active in 
the verification area have attempted a variety of 
70 dynamic reduction methods. These methods at- 
tempt to compute mostly at runtime (i.e., during the 
search) which parts of the reachability analysis are 
redundant and can be skipped. Unavoidably, the 
additional computations also consume resources: 
75 they require memory to store additional data struc- 
tures, and they require CPU time to discover the 
redundancies. This overhead reduces the amount 
of improvement that can be achieved. In some 
cases, the costs of improvement outweigh the 
20 gains, which means that the unoptimized full 
search can sometimes outperform the •optimized' 
reduced search. 

What is needed, and what is provided by the 
techniques disclosed herein is a method for reduc- 
es ing state space which depends on static informa- 
tion, that is, information which is available prior to 
the search. 

Summary of the Invention 

30 

Reductions in state space are achieved by the 
techniques disclosed herein by finding transitions 
which may be included in the state space to the 
exclusion of all others while still provably permitting 

35 validation of liveness and safety properties. Since 
the other transitions are not included, neither are 
the states represented by their target nodes or any 
transitions which have their sources in those states, 
leading to an enormous reduction in the size of the 

40 search space. 

The transitions which may be included in the 
state space while excluding others may be de- 
scribed as follows: Consider the set T of transitions 
of the program. For each program state S, Split 

45 that set into three disjoint subsets: 

• Dis(S) (from Disabled, these are the transi- 
tions that cannot be executed from S). 

• Sel(S) (from Selected, these are the enabled 
transitions that are selected by the reduction 

so algorithm). 

• iQn(S) (from Ignored, these transitions are 
enabled from S, but are not selected). 

It is sufficient for the preservation of liv ness and 
safety properties if the depth-first s arch xplores 
55 only the transitions in set Sel(S), provided that the 
following three conditions are satisfied. 

C1: No execution sequence starting from S 
can exist in which a transition that 
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— is outside set Sel(S) and that 

— is dependent on at least one tran- 
sition in Sel(S) 

becomes nabled without at least one 
transition from set Sel(S) having being 
executed first in that sequence. 
C2: If Ign(S) is non-empty then no transition 

in Sel(S) can close a directed cycle. 
C3: The execution of none of the transitions 
in set Sel(S) touches an object that is 
visible to the property being checked. 
When a reduced state space is constructed by 
selecting transitions which fulfill the above con- 
ditions CI, C2, and C3, the reduced state space is 
never larger than a state space constructed by 
present methods and is often orders of magnitude 
smaller. 

The foregoing and other objects and advan- ' 
tages of the invention will be apparent to one of 
ordinary skill in the art who peruses the following 
Drawing and Detailed Description, wherein: 

Brief Description of the Drawing 

FIG. 1 is an overview of a verification system 
incorporating the invention; 
FIG. 2 is a detail of a node in the state space 
generated by the verification system; 
FIG. 3 is a detail of tables used in the verifica- 
tion system; 

FIG. 4 is an example system which computes 
prime numbers according to the method of the 
sieve of Eratosthenes; 

FIG. 5 is a PROMELA description of the system 
of FIG. 4; 

FIG. 6 shows the reduction in state space 

achievable in the system of FIG. 4 by using the 

technniques of the invention; 

FIG. 7 shows how the state reduction technique 

reduces transitions from a node; 

FIG. 8 is a detailed view of a portion of the state 

space of FIG. 6; 

FIG. 9 is an initialization algorithm for state 
reduction; 

FIG. 10 is an algorithim for an expansion step; 
FIG. 11 is an algorithm which implements the 
expansion step for the transitions in the Buechi 
automaton; 

FIG. 12 is an extension of the algorithm for 
detecting cycles; and 

FIG. 13 is an algorithm for performing a reduced 
expansion. 

Th r f rence numbers employed in the Drawing 
and the Detailed Description have thr or mor 
digits. The two least significant digits are a number 
within a figure; the remaining digits are the figure 
number. Thus, th lement with the reference num- 
ber "305" is first shown in FIG. 3. 



Detail d Description 

The following Detailed Description first 
presents an ov rview of the invention, then 
5 pres nts an example of its use, thereupon gives a 
formal description of the invention, and finally 
presents a generalization of the invention. 

Overview of a Verification System Incorporat- 
70 Ing the Invention: FIGs. 1-3,7 

FIG. 1 presents an overview of a verification 
system 101 which incorporates the invention. Ver- 
ification system 101 takes as its inputs a system 

75 description 103 and a description of a required 
property 107 of the system of description 103. 
Description 103 describes the system being veri- 
fied as a set of concurrently-operating asynchro- 
nous processes 105(0..n). The processes commu- 

20 nicate with each other by means of synchronous 
and asynchronous message passing. In a preferred 
embodiment, system description 103 is written in 
PROMELA, described in detail in the Holzmann 
reference. Required property 107 and system de- 

25 scription 103 are input to verifier generator 109, 
which then generates a verifier 111. Verifier gener- 
ator 109 in the preferred embodiment is the SPIN 
model checker, which is described in detail in the 
Holzmann reference. The output of verifier gener- 

30 ator 109 is a verifier program 111. When verifier 
program 111 is executed , it verifies whether the 
system described in system description 103 has 
required property 107 by performing a reachability 
analysis on states of the system of description 1 03. 

35 In the course of performing the reachability analy- 
sis, verifier 111 constructs reduced state space 119 
which contains state graph 125. State graph 125 
consists of nodes 121 specifying states of the 
system described in system description 103 and 

40 edges 123 describing transitions between the 
states of the nodes 121. The result of the verifica- 
tion, indicating whether the system of description 
103 has the required property 107 is output at 
result 117. 

45 FIG. 2 shows a detail of a node 121. Each 
node 121 has a global state portion 201 and a per- 
process state portion 203 for each process speci- 
fied in system description 103. The global state 
portion includes the state of any global variables 

so 205, i.e., variables which can be set and/or read by 
more than one process and the state of any global 
queues 207, i.e., queues which are shared between 
processes. Each per-process state portion 203 for 
a process 105(n) includes the state of any variables 

55 209(n) local to the proc ss, the state of the pro- 
cess's program counter 210(n), and the state of 
any queu s 211(n) local to th process. As can b 
seen from the amount of information in a node 121, 
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stat graph 1 25 may have an enormous number of 
nodes. For example, if the system of system de- 
scription 103 has 3 processes and no global state, 
each process can hav ten different combinations 
of values in per-process state 203, and the com- 
binations may occur in any order, then the potential 
number of nodes in the system is (10 * 10 * 10) or 
1000 nodes, and of course most systems will have 
more processes and/or more states. 

An important difference between system 101 
and prior-art verification systems is that system 
101 is able to use information obtained from sys- 
tem description 103 and the required property 107 
to reduce the size of state space 119. In the 
preferred embodiment, the information is associ- 
ated with state transitions. Verifier 111 includes a 
transition table 113 which is compiled from system 
description 103 and which lists all state transitions 
123 which the system of system description 103 is 
capable of. Transition table 113 is shown in detail 
at FIG. 3. There is an entry TTE 203 for each state 
which is indexed by a transition number 201 . Each 
entry describes an enabling condition (EC) 205 for 
the transition, for example a value of a variable or a 
state of a queue, and an action 207 to be taken on 
the transition. 

Each entry in transition table 113 has a cor- 
responding entry in tag table 115 which indicates 
[ the significance of the transition for state reduction. 

Each transition 123 belongs to one of three 
classes: 

• the transition is unconditionally safe; 

• the transition is conditionally safe; and 

• the transition is unsafe. 

It should be pointed out here that the use of safe 
in this context has nothing to do with the safety 
property of a system. How the safeness of a transi- 
tion is determined from system description 103 will 
be described in more detail later. 

The transitions in a node 121 are further bun- 
dled according to the processes 105 whose state is 
involved in the transitions. In a prefered embodi- 
ment, all of the transitions which change state 
, belonging to a given process are bundled together. 
If the values in a node 121 permit one or more 
bundles of transitions 123 in which all of the the 
transitions are unconditionally safe, only the transi- 
tions in one of the bundles need be taken, and only 
the nodes 121 reached by those transitions need 
be included in reduced state space 119. If is a 
bundle in which all transitions are conditionally 
safe, the conditionally safe transitions can be treat- 
ed as saf at run time. This is done by making run- 
time ch cks for the conditions of th safe transi- 
tions. If all checks are satisified, the bundle of safe 
transitions can be treated in the same fashion as a 
bundle of unconditionally saf transitions. If there 
are no bundles of transitions which include only 



unconditionally safe transitions or conditionally safe 
transitions whose conditions are satisfied by the 
current state, then all of the transitions and their 
target nodes must b incorporated into graph 125. 

5 All of the above is shown in FIG. 7. At 701 in 

that figure, there is a node 121(a) which has two 
bundles 709(a) and 709(b), each of which includes 
nothing but unconditionally safe transitions 703, a 
third bundle 71 1 , which contains conditionally safe 

to transitions 705, and a fourth bundle consisting of a 
single unsafe transition 707. When the state reduc- 
tion algorithm is applied, node 121(a) 1 remains with 
only bundle 709(a) of unconditionally safe transi- 
tions 703. Similarly, there is shown at 704 a node 

75 121(b) which has a bundle 713 of two conditionally 
safe transitions 705(a) and 705(b) and another bun- 
dle 715 of transitions 707 which are unsafe. If the 
conditions 717(a) and 717(b) applying to transitions 
705(a) and 705(b) are satisfied when the state 

20 reduction algorithm is applied, node 121(b) 1 has 
only the transitions in bundle 713. Node 121(c), 
finally, has only bundles 721 and 723 which include 
unsafe transitions 707, and consequently, no state 
reduction is possible. 

25 In a preferred embodiment, the safeness class 
of a transition is indicated in tag table 115. As 
shown in FIG. 3, there is an entry 209 in tag table 
115 corresponding to each transition in transition 
table 113. Tag 211, the contents of the entry, 

30 indicates whether the corresponding transition is 
unconditionally safe, conditionally safe, or unsafe. 
In the case of a conditionally safe transition, tag 
211 is a code which indicates what kind of run-time 
check must be made. In operation, verifier 111 

35 checks tag table 115 for each transition and puts 
the reduced number of transitions 123 and nodes 
121 permitted by the safeness properties of the 
transitions in state graph 125. 

40 Example of State Reduction using System 101: 
FIGS. 4-6 

A set of 6 processes which executes the clas- 
sic algorithm called the sieve of Eratosthenes for 

45 finding prime numbers will serve as an example of 
how system 101 may be used to reduce the size of 
a state space. FIG. 4 shows how system 401 
implements the algorithm. The system consists of 
five processes 403(0..4) plus a process (not shown) 

so for providing the integers 2-12 in order. The prime 
numbers (integers divisible only by themselves and 
1) in that sequence of integers are 2,3,5,7, and 11. 

System 401 works as follows: each process 
403 r ceiv s integers from the process on th I ft; 

55 each process stores the first integer it rec ives; 
from then on, it discards any integer which is 
divisible by its stor d integer and passes any in- 
teger which is not divisible to the right. As shown in 



4 



7 



EP 0 685 792 A1 



8 



the first row of FIG. 4, when the integer N = 2, 
none of the processes has a stored number, so 
process 403(0) stores the number in its local vari- 
able myval. The next number is 3. 3 is not divisible 
by 2, so as shown in the second row, process 403- 
(0) passes 3 to process 403(1). This is the first 
value process 403(1) has received, so it stores the 
value in its local variable myval. The next number 
is 4. What happens with it is also shown in row 2. 4 
is divisible by 2, so process 403(0) discards the 
value. The third row shows what happens when N 
= 5. 5 is not divisible by 2, so process 403(0) 
passes it to process 403(1); 5 is also not divisible 
by 3, so process 403(1) passes it to process 403- 
(2), which stores it. The remaining integers through 
12 are treated in the same fashion. At that point, 
each process 403 has stored one of the prime 
numbers in the sequence 2-12. 

As mentioned above, the system descriptions 
103 used in a preferred embodiment are written in 
PROMELA. FIG. 5 shows a PROMELA description 
501 for system 401. The description has four major 
components: init 509, right 507, middle 505, and 
left 503. Components 503 through 507 represent 
processes in system 401; left 503 is the process 
which provides the integers in increasing order; it 
has a single channel which outputs a value to 
process 403(0). middle 505 represents the pro- 
cesses 403 which receive values from the left and 
discard them or pass them to the right; each of 
these processes has two channels, one to its 
neighbor on the left and one to its neighbor on the 
right, right 507 represents the rightmost process 
403. It has a single channel to its neighbor on the 
left. 

init first creates and runs the process de- 
scribed by left 503; then init creates and runs 
processes described by middle 507 up to a maxi- 
mum number established by a parameter N. In 
FIG. 4, these are the processes 403(0..3). Finally, it 
creates and runs the process described by right 
507, process 403(4) in FIG. 4. In creating the 
processes 403, init sets up the channels for each 
process as described above. 

As shown at 505, each middle process 403 
stores the first value it receives. With each addi- 
tional value, it divides the value by the stored 
value. If the division is even, the value is discarded; 
otherwise, it is passed to the right. As shown at 
507, the right process simply stores the first value 
it receives and discards the rest. 

The transitions of system 401 with which the 
example is primarily concerned are 

• incrementing counter, 

• receipt of a value from the left. 

• sending a value to th right, 

• t sting the r suit of the division operation, 
and 



• comparing the current value of counter with 
the maximum allowed value of the counter. 
As will be explained in more detail later, all of the 
above transitions but those involving sending and 

s receiving are local, in that the occurrence of the 
transition in one of the processes 403 has no effect 
on the other processes 403. With local transitions, 
it makes no difference whether one of the pro- 
cesses 403 performs a given local transition before 

io or after another process 403. As will again be 
explained in more detail later, the local transitions 
are all unconditionally safe. 

The transitions involving sending and receiving 
are conditionally safe, but in system 401 , the con- 

15 ditions are always satisfied, and these transitions, 
too, are always safe. Since all of the transitions are 
always safe, that is the case, the state space can 
be reduced to the number of states required for 
each process 403 in turn to receive its first value, 

20 divide the next value by the first value from the left, 
and do nothing if the result is 0 and otherwise send 
the next value. 

FIG. 6 shows the results of the reduction. State 
space 601 is the states and transitions made by a 

25 version of system 401 which has three middle 
processes 403 and finds the primes through 5. 
States which remain in the reduced state space are 
shown as square nodes 605, while states which are 
not part of the reduced state space are shown as 

30 round nodes 603. FIG. 8 shows a detail of area 609 
of FIG. 6. Each node 121 has been labelled with a 
name (s1-1, s2-1, etc.) and each transition 123 has 
been labelled to indicate what part of the state of 
system 401 is affected by it. With transitions 801- 

35 805, there is only one transition 123 per node, and 
consequently, no state reduction is possible. With 
node s4_1, there are two transitions 123. Both are 
unconditionally safe ad each transition involves a 
change of state in a different process 403. Con- 

40 sequently, each of the transitions is a bundle con- 
sisting of one transition and only one of the bun- 
dles needs needs to be included in the state 
space. Verifier 111 choses the bundle containing 
transition 809, and nodes 121 reachable by transi- 

45 tion 807 need not be included in reduced state 
space 119. 

Generalizing the Technique 

so As described above, the only characteristic of a 
transition 123 which is taken into acount in deter- 
mining whether a bundle is unconditionally safe, 
conditionally safe, or unsafe is the saf n ss class 
of the transition. That is sufficient to v rify som 

55 specific safety properties of the system of descrip- 
tion 103, for example, that the system will not 
deadlock. Howev r, in order for th techniqu of 
the invention to be able to generally verify safety 
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and liven ss properties, three conditions must be 
met by all of the transitions in a bundle of transi- 
tions before the bundle is used to the exclusion of 
other bundles to gen rate reduced stat space 
119. The conditions may be described a follows: 

Consider the set T of transitions of the pro- 
gram. For each program state S, Split that set into 
three disjoint subsets: 

• Dis(S) (from Disabled, these are the transi- 
tions that cannot be executed from S). 

• Sel(S) (from Selected, these are the enabled 
transitions that are selected by the reduction 
algorithm). 

• Ign(S) (from Ignored, these transitions are 
enabled from S, but are not selected). 

It is sufficient for the preservation of liveness and 
safety properties if the depth-first search explores 
only the transitions in set Sel(S), provided that the 
following three conditions are satisfied. 

CI: No execution sequence starting from S 
can exist in which a transition that 

— is outside set Sel(S) and that 

— is dependent on at least one tran- 
sition in Sel(S) becomes enabled 
without at least one transition from 
set Sel(S) having being executed 
first in that sequence. 

C2: If Ign(S) is non-empty then no transition 

in Sel(S) can close a directed cycle. 
C3: The execution of none of the transitions 
in set Sel(S) touches an object that is 
visible to the property being checked. 
Condition CI is a generalization of the requirement 
that all transitions in a bundle of transitions which 
are used to construct reduced state space 119 
must be either unconditionally safe or conditionally 
safe. Condition C2 requires that no transition in the 
bundle return to a state 121 which is already in 
reduced state space 119 and which verifier 111 has 
not yet finished expanding, thereby forming a di- 
rected cycle in reduced state space 119. Condition 
C3 requires that one transition in the bundle may 
not alter a value which is mentioned in the property 
107 being checked. All of these conditions are 
explored more rigorously in the following "Detailed 
Explanation". 

Detailed Explanation of the Technique: FIGS. 9- 
11 

The following explanation first presents a theo- 
retical justification for the technique and then 
presents details of the technique. The technique 
applies generally to any problem which can be 
formalized as a reachability analysis problem in a 
finite lab I d transition system (LTS). This specifi- 
cally includes th problems of proving safety, live- 
ness, and linear time temporal logic properties for 



any finite stat concurrent system. 

An LTS is defined as a triple {$,$o,7} f where S 
is a finite set of states. So is a distinguished initial 
stat in S, and T is a finite set of transitions, with 

s TC(SxS). In a simple form, an LTS can be used to 
formalize the behavior of a single sequential pro- 
cess. It can also formalize the combined behavior 
of a finite number of interacting and asynchro- 
nously executing sequential processes. Each tran- 

70 sition of the LTS then corresponds to the execution 
of a specific atomic statement within one of the 
processes, in accordance with a standard interleav- 
ing semantics of concurrency. The LTS can be 
represented by a graph with nodes corresponding 

15 to the states in S and directed edges correspond- 
ing to the transitions in T. A connected path 
through this graph then defines the effects of a 
possible execution in the underlying concurrent 
system. There will be at least one path through the 

20 graph for every possible way in which the execu- 
tion of process statements could be interleaved in 
time. 

Given a transition fe7 in an LTS, we will use 
the notation Label{t) to refer to the process state- 

25 ment that is represented by transition f, and we will 
use Pid{f) to refer to the sequential process that 
contains the statement Label{t). Without loss of 
generality, we assume that the mapping from tran- 
sitions to process statements is unique. The re- 

30 verse mapping will, in general, not be unique. 

The semantics of a statement a~Label(f) are 
defined by two functions Cond and Act, where 

Cond(a) is the subset of S where a is enabled 
(or 'executable 1 [H92]) ( and 

35 Act{a,$) is that state of S that is reached when 
a is executed in a given seCond(a). 

Normally, a statement in a sequential process 
is 'enabled 1 or 'executable* only if it is pointed to 
by the current program counter of the sequential 

40 process that contains that statement. In a concur- 
rent system, however, we can define additional 
constraints on the enabledness or executability of 
statements. A message send operation, for in- 
stance, can be defined to be enabled only if also 

45 the destination message buffer is non-full, and a 
message receive operation can be defined to be 
enabled when also the source message buffer is 
non-empty. 

Two statements a and b are defined to be 
so independent at state seS, written as {a,b}elnd(s), 
if and only if the following five conditions are met: 

(1) seCond(a), i.e., statement a is enabled in s, 

(2) seCond(b), i.e., statement b is enabled in s, 

(3) Act(a,s)eCond{b) t i.e., the execution of a 
55 cannot disable b, 

(4) Acf(6,s)eCo/itf(a), i.e., the execution of b 
cannot disabl a, 
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(5) Act(bAct(a,s)) = Act(a,Act(b,s)) t i.e., the ef- 
fect of executing a followed by b is indistin- 
guishable from that of executing b followed by 
a. 

Note that two statements from the same se- 
quential process, i.e., with Pid(a) = Pid(6), can not 
be independent. If the two statements are executed 
sequentially, they cannot be simultaneously en- 
abled. If they appear together in a single selection, 
the execution of either one statement will disable 
the other. Two statements from distinct sequential 
processes can be independent under certain con- 
ditions. Two send operations on distinct message 
queues will in general be independent, but two 
send operations on the same message queue will 
not. The send operation that executes first may 
disable the second if its message fills the queue to 
capacity, which violates requirements (3) and (4). In 
addition, the order in which the two statements are 
executed can be distinguished by the order in 
which the messages appear in the destination 
queue, which violates requirement (5). 

Statements a and b are defined to be globally 
Independent if and only if they are independent in 
every possible state where they are simultaneously 
enabled: 

(6) se(Cond(a)nCond(b)) - {a,b}elnd(s). 

Note that a and b are trivially globally indepen- 
dent when Cond(a)r\Cond(b)-0. Two assignment 
statements from two distinct sequential processes, 
i.e., Pid(a)+Pid{b), that access only local variables 
within each process, will in general also be globally 
independent. 

Because it is known that both safety and live- 
ness properties can be expressed by next-time- 
free linear-time temporal logic (LTL) formulae, we 
will focus on a method for proving the satisfiability 
of LTL formulae. The LTL formulae we consider 
may contain boolean propositions on system- 
states, the boolean operators A, V, ! (not), and the 
temporal operators □ (always), 0 (eventually), and 
U (until), but not the temporal operator O (next- 
time). 

VVolper showed in Wolper, et aL, "Reasoning 
about infinite computation paths", Proceedings of 
24th IEEE Symposium on the Foundations of Com- 
puter Science, Tuscan, 1983, pp. 185-194, that any 
next-time-free LTL, formula can be formalized as a 
nondeterministic Buechi Automaton with a predefin- 
ed initial state, and a finite set of acceptance 
states. The transitions in the Buechi Automaton 
carry predicate labels, each of which represents a 
boolean proposition. In our case, the bool an pro- 
positions can refer only to the (global) system-state 
of the labeled transition system for which the LTL 
formula formalizes a property. Th Bu chi Automa- 
ton itself can be represented by an LTS with 
predefined acceptance states. The satisfaction of 



an LTL formula can now be proven by d tecting 
acceptance cycles in the synchronous product of 
two labeled transition systems: one representing 
the concurrent system and one representing the 

5 Buechi Automaton. The absence of acceptance cy- 
cles can similarly prove that the LTL formula can- 
not be satisfied. 

The synchronous product Fx G of a labeled 
transition system F, representing a concurrent sys- 

10 tern, and a Buechi Automaton G, derived from a 
next-time-free LTL formula, is defined as follows. 
Let F=(S Fl f 0 J F ) and G = (SG,g 0 ,T G ). E ach state of 
the synchronous product Fx G is a pair (f,g), with 
feSf and ge$& Each transition, similarly, is a pair 

J5 (v,tv), with veTp and wef G . We define the LTS for 
the synchronous product FxG recursively as fol- 
lows. The initial state of FxG is (/b,#>). For each 
state (f,g) there is a successor state {h,k) t reacha- 
ble via transition (v,w), if and only if: 

20 (1) v = (/,/))€ 7>, i.e., h is a successor of f via v 
in F, 

(2) w=(g,K)eT Gt i.e., k is a successor of g via w 
in G, and 

(3) The boolean proposition defined by Label(w) 
25 is true in state fe$?. 

A statement a in F is said to be observable 
by Buechi Automaton G if there exists a label in G 
for which the corresponding proposition can have a 
different truth-value in at least one system-state 
30 seCond(a) and in Act{a t s). The statement a can 
now be said to be 

• Safe if a is non-observable to G and globally 
independent from every b with Pid(a)+Pid(b) t 
and 

35 • Conditionally Safe for condition P(s), if a is 
safe in every state s where P(s) holds. 
The reduction algorithm that we will describe in 
the next section relies on the fact that the safety or 
conditional safety of statements can in many cases 
40 be determined statically. 

REDUCTION ALGORITHM 

We first consider the standard depth-first 
45 search algorithm that implements the generation of 
the labeled transition system F from a specification 
of a concurrent system. We then consider how this 
search can be extended to generate the synchro- 
nous product FxG, where G is a Buechi Automaton 
so that encodes an LTL formula, and to detect the 
existence of acceptance cycles in that product. 

The initialization 901 of the search is illustrated 
in Figure 9. First, the basic transition structure of 
the concurrent system is obtained and optimized. 
55 The optimization step, can, as we shall argue, also 
include a precomputation of independence rela- 
tions, with a static identification of all safe and 
conditionally safe process-statements. Two sets of 



7 



13 



EP 0 685 792 A1 



14 



states are then initialized with the predefined initial 
system state s 0 : the Statespace and the Stack. 
The search begins with a call of the depth-first 
search routine, Df$Q t with parameter 1. The rel- 
evance of the parameter will become clear shortly. 
Figure 10 first shows the expansion step for pro- 
cess statements, in routine dfsQ (note: not the 
routine from line 5). In the absence of a Buechi 
Automaton, the calls on lines 5 and 16 could both 
be implemented as calls on dfs(N). 

In the general version of the verification al- 
gorithm, however, the calls on lines 5 and 16 
invoke the routine shown in Figure 1 1 , which imple- 
ments the expansion step for the transitions in the 
Buechi Automaton. The state of the Buechi Au- 
tomaton is part of compound system state s. Be- 
cause the transitions in the Buechi Automaton re- 
present boolean propositions from an underlying 
LTL formula, a transition teT Q in B chi Automaton 
G will only be enabled if and only if proposition 
Label(t) holds. The synchronous coupling of sys- 
tem F and Buechi Automaton G is achieved by 
alternating the calls to Dfs(N), on line 16, and dfs- 
(N) on line 28. Each pair of subsequent calls, 
explores one synchronous transition of Fx G. 

Figure 1 1 shows only the basic expansion step 
without the extra hooks that are required to detect 
the presence of acceptance cycles in the synchro- 
nous product of concurrent system and Buechi 
Automaton. To enable also the detection of accep- 
tacce cycles, we can check for every reachable 
acceptance state in G if that state is also reachable 
from itself. We do so with a second depth-first 
search, in post-order, in a separate state space. 
Two separate values for parameter N serve to 
indicate in which part of the search the algorithm 
operates. To initiate the second search, we include 
four extra lines between lines 28 and 29 of Figure 
11, as illustrated in Figure 12. If the seed state is 
reachable from itself this can be detected and 
reported at line 24, as illustrated by lines 24a-d in 
Figure 12. 

A description, and correctness proof, for this 
method of cycle detection was given in [CVWY92]. 
The algorithm generates at least one example of an 
acceptance cycle, if one or more such cycles exist. 
It is not guaranteed to generate all such cycles. If, 
however, the Buechi Automaton is used to formal- 
ize an undesirable behavior, i.e., the violation of a 
correctness requirement, a proof of either the exis- 
tence or the absence of acceptance cycles that 
satisfy the claim is always sufficient for a conclu- 
sive verification result. 

Note that wh n the exist nee of an acc ptanc 
cycle is discovered, its complete traversal is con- 
tained in the Stack, and can be generated as a 
counter-example to th correctness claim. 



Static Reduction 

To implement a static reduction technique, it 
suffices to modify only the algorithm from Figure 

5 10, since the safety of transitions applies only to 
the transitions in the sequential processes, not to 
those of the Buechi Automaton. The change is 
illustrated in Figure 13. The aim of the reduction 
method is to find the smallest set of transitions that 

70 will suffice to perform the expansion (given that we 
want to preserve both safety and liveness prop- 
erties). Clearly, the expansion cannot be complete 
unless for every transition selected, we also select 
all those simultaneously enabled transitions that 

75 that are not independent from it. This means that if 
we select a, we must minimally also select all 
simultaneously enabled transitions b with Pid(b)- 
-Pid(a) (cf. line 10 in Figure 13). 

In the static reduction method we try to identify 

20 at least one process that can execute only safe, or 
conditionally safe, transitions. Such a process can 
be found by a prescan of the processes. In Figure 
13, this critical step is performed on line 8a and is 
used to re-order the processes in such a way that 

25 processes that perform only (conditionally) safe 
transitions can be selected first for the expansion 
step on line 9. If the expansion succeeded (more 
about this below) we can ignore the (independent) 
transitions from all other processes by breaking out 

30 of the loop over processes on line 16f. The order- 
ing step itself introduces virtually no runtime over- 
head. In the implementation discussed in Section 
5, for instance, it is implemented by a table-lookup 
for unconditionally safe transitions, and by the eval- 

35 uation of a precomputed boolean condition for con- 
ditionally safe transitions. 

A check is added on lines 16a-b, to see if the 
last transition explored returned the search to a 
state s' that is already contained in the search 

40 stack or not. If there is at least one such transition, 
the value of a local boolean variable NotlnStack is 
set to false. Once all transitions of the process 
have been explored, the values of NotlnStack and 
AtLeastOneSuccessor are inspected. The reduc- 
es tion attempt fails unless alt transitions explored for 
the current process have produced successor 
states that are currently not contained in Stack, If 
this requirement is not met, the algorithm will try to 
make another selection of transitions, by moving to 

so the next process in the outer for-loop. In the worst 
case, this will mean that the reduced expansion 
step will explore all enabled transitions, just as it 
did in Figure 10. 

The condition on line 16e that has to b fulfil- 

55 led for the reduction attempt to be consid red 
successful is known as the r ductl n pr vis . 
The n ed for such a proviso was first recognized 
by Valmari in [V90]. The version of the proviso 
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used here was first proposed in [P93]. A weaker 
version of the same test, for the preservation of 
safety properties only, was discussed in [HGP92]. 
In the next s ction we will show that the stronger 
proviso from [P93] guarantees the preservation of 
both safety and liveness properties. 

The tests on line 16a and 16e introduce virtu- 
ally no overhead to the algorithm. 

PROOF OF CORRECTNESS 

We will give the main proof argument that 
supports the correctness of the reduction algorithm. 
The remaining steps that are required for a rigor- 
ous proof are only briefly indicated. 

An execution sequence a of an LTS can be 
defined either as a sequence of transitions or as 
the sequence of states that is traversed by these 
transitions. Let Eq(a) be the set of all execution 
sequences that can be obtained from o by zero or 
more permutations of adjacent, globally indepen- 
dent, transitions. For each sequence in this set we 
can define the distance to a as the smallest num- 
ber of permutations that must be performed to 
retrieve a. (This distance can be either finite or 
infinite.) 

Any sequence p that equals a finite prefix of at 
least one sequence in Eq{a) is called a permutat- 
ed prefix of a. Set FP{p,o) be the set of sequences 
in Eq(a) that contain p as a prefix. Let PP'(p.o) 
further be the subset of those sequences in PP(p.o) 
that have the shortest distance to o. Note that the 
sequences in this set differ from a in tat most a 
prefix of finite length. For each such j sequence, 
therefore, we can define a finite prefix p\ such that 
the remainder of the sequence (after trie Seletion 
of p) equals o. This prefix, which can be longer 
than p, is called the minimal stable extension of 
p in a. • 

A generalized permuted prefix p of an ex- 
ecution sequence a is finite execution sequence 
that can be transformed into a permuted prefix of a 
by omitting zero or more non-observable transi- 
tions. 

To prove the correctness of the reduced 
search algorithm, we first prove the following 
Lemma. 

Lemma - At each state that is reached during 
the search, the reduced search algorithm generates 
at least one generalized permuted prefix p for 
every execution sequence a that can start from that 
state. □ 

Proof - The proof is by induction on th order 
in which stat s are remov d from th depth-first 
stack in the reduced search algorithm. 

[1.] For the induction basis, consider the first 
state that is removed from th stack in the 
reduced search algorithm. There are two cases 



to consider, depending on the number of n- 
abled transitions in that state. 

11.1-1 The state has no enabled transitions, 
and thus no successor states. In this case 

5 there exist no further executions from this 

state, and the Lemma holds. 
[1.2.] The state has enabled transitions. All 
these transitions must have returned the 
search to previously visited states: they can- 

w not be new states because such states would 

have been removed from the stack before the 
current one. Since no states were previously 
removed from the stack, all previously visited 
states are still contained in the stack. The 

75 reduction proviso from the reduced search 

algorithm will in this case force a complete 
exploration of all enabled transitions from this 
state {line 16a, Figure 13). This set includes 
the first transition a from a. This transition a 

20 is a generalized permuted prefix of length 

one. The Lemma therefore holds for this 
case. 

[2J Next, we must show that if the Lemma holds 

for the first N states that are removed from the 
25 stack, it necessarily also holds for the (N + 1)-th 

state. Let s be that state. There are again two 

cases to consider. 

[2.1 .] The set of enabled transitions in s does 
not contain a true subset of (conditionally) 
30 safe transitions that includes all the enabled 

transitions for one sequential process, and 
none of which leads to a successor state on 
the stack. In this case, the reduced search 
algorithm explores all enabled transitions 
35 from s and the Lemma holds by the same 

construction as was used in the proof of step 
[1.2]. 

[2.2J The set of enabled transitions in $ does 
contain a true subset of (conditionally) safe 
40 transitions that includes alt enabled transi- 

tions for one sequential process, and none of 
which leads to a successor state on the 
stack. Call that subset x, and call the (non- 
empty) set of all remaining transitions y. The 
45 reduced search algorithm explores only the 

sequences that start with a transition from x. 

First note that any transition in x forms a 
generalized permuted prefix of length one for 
o. That is: each such transition either appears 
so in o after a finite number of globally indepen- 

dent transitions, or it does not appear in o 
and is globally independent of all transitions 
that do app ar. 

Th re are two cases to consid r. 
55 [2.2.1. ] If a starts with a transition from x, 

the Lemma again holds. 
[2.2.2.] Next, consider th case where a 
starts from state $ with a transition from y 
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and reaches successor state $'. We distin- 
guish two further sub-cases. 

[2.2.2.1. ] First, consider the case where 
o starts with a transition from y and 
where that transition is globally inde- 
pendent of all transitions in a. In this 
case, none of the transitions in a can 
have been disabled by the execution of 
the globally independent transition from 
y, and the transition itself forms a gen- 
eralized permuted prefix of length one. 
The transition from y is now itself a 
non-observable transition that could be 
deleted from generalized permuted pre- 
fix to obtain the (empty) permuted pre- 
fix of a. The Lemma therefore holds for 
this case. 

[2.2.2.2.] Next, consider the case where 
a starts with a transition from y and 
where that transition is not globally in- 
dependent of all transitions in a. Let a 
be the first transition in o, and b a 
transition from the chosen set x that 
appears also in a. (The case where b 
does not appear in a was already cov- 
ered in the second half of proof step 
[2.2.].) Call s' the state that is reached 
after the execution of b. We can now 
find a minimal stable extension of b in 
a, as defined above, which includes all 
the occurrences of transitions in the 
prefix of a that ends at the first occur- 
rence of b. Call that prefix p. Further, 
call a the suffix of a that follows first 
occurrence of b. Then the sequence 
p.o f is equal to a copy of a from which 
this first occurrence of b is deleted. The 
prefix p is then a generalized permuted 
prefix of the sequence p.o' that starts at 
state s'. But then, the prefix b.p must 
be a generalized permuted prefix of a, 
which starts at state s, which means 
that the Lemma also holds for this case. 
This completes the proof of the 
Lemma. □ 

The Lemma can be shown to imply that for 
every execution sequence o, the reduced search 
algorithm explores at least one execution sequence 
that becomes equivalent to a when a finite number 
of non-observable transitions are deleted from it. 
(This proof step is not detailed here.) Next we must 
show that this property is sufficient for the com- 
pleteness of the search itself. To do this, we must 
take a closer look at th synchronous product of a 
concurrent system and a Buechi Automaton. 

Given a concurrent system C and a Buechi 
Automaton Af, w can construct an ord red s t of 
pr dicates P{M) with on predicate for each bool- 



ean proposition on th states of C that appears in 
M. For each reachable system state of C, each 
pr dicate in P(M) then uniqu ly defines a boolean 
value, and th set P(M) similarly defines a unique 

s vector of boolean values. For given P(M), an execu- 
tion sequence of C corresponds to a sequence of 
boolean value vectors. Call that sequence 'the vec- 
tor-sequence induced by W.' 

We define two execution sequences to be M- 

io equivalent, for given Buechi Automaton M, if 
and only if the corresponding vector- se- 
quences induced by M are equal up to stutter- 
ing, i.e., if the two sequences are equal when 
each series of two or more consecutive occur - 

15 rences of the same value vector v is replaced 
by a single occurrence of v. 

The Lemma implies that the reduced search 
algorithm generates at least one M- equivalent 
sequence for each execution sequence of the 

20 concurrent system. The intuition for this is that 
all non- observable transitions correspond to 
stuttering steps. (This proof step is not further 
detailed here.) The correctness of the reduced 
search algorithm can now be formalized in the 

25 following theorem. 

Theorem - // there exist acceptance cycles 
in the synchronous product of a Buechi Au- 
tomaton and a concurrent system, the reduced 
search algorithm will detect at least one of 

30 these cycles. □ 

Proof - by the Lemma and the fact that the set 
of sequences satisfying a next-time-free LTL for- 
mula is closed under stuttering [L83]. The reduced 
search generates at least one M-equivalent se- 

35 quence for each complete sequence that satisfies 
the LTL formula. Ail sequences that satisfy the LTL 
formula are detected in the non-reduced depth-first 
search as acceptance cycles in the synchronous 
product of the corresponding Buechi Automaton 

40 and the concurrent system (e.g., [W83][CVWY92]- 
[H92]). Therefore, if at least one M-equivalent se- 
quence for such a satisfying sequence is generated 
in the reduced search, at least one acceptance 
cycle is necessarily detected. □ 

45 

IMPLEMENTATION 

For a sample implementation of the static re- 
duction technique in the verification system SPIN 
so and its specification language PROMELA [H92], we 
identified five types of statements that can be 
marked statically as unconditionally safe when they 
appear separately, and conditionally safe when 
they appear as guards in s I ction structur s. 
55 1 . Any access to exclusively local variables. Any 
atomic process-statement that reads or writes 
exclusiv ly obj cts that ar non-observabl to 
other proc sses, is also non-observable to th 
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PROMELA never claim (which formalizes the 
Buechi Automaton). 

2. Any receive operation on a message queue q, 
provided that no more than on process can 
either receive messages from q or test the con- 
tents or length of q. We mark such a queue with 
a special status: exclusive receive- access. 
Exclusive receive-access implies that a never 
claim contains no propositions on the contents 
of q. 

3. Any send operation on a message queue q, 
provided that no more than one process can 
send messages to q, or test the contents or 
length of q. We say that such a queue has 
exclusive send- access. Exclusive send-ac- 
cess implies that a never claim contains no 
propositions on the contents of q. 

4. The boolean test nfull{q), that returns true 
when message queue q is currently non-full, and 
false otherwise, provided that the statement is 
performed by a process that has exclusive 
send-access to that queue. 

5. The boolean test nempty(q), that returns true 
when message queue q is currently non-empty, 
and false otherwise, provided that the statement 
is performed by a process that has exclusive 
receive-access from that queue. 

The statements of types (1)-(5) are condition- 
ally safe if they do appear as guards in selection 
structures. The condition for the conditionally safe 
statements is defined as the logical and combina- 
tion of the following clauses for each type of guard: 
(1) true (i.e., these statements contribute no addi- 
tional constraints), (2) and (5) nempty(q) t and (3) 
and (4) nfull(q). Note that statements of type (2-5) 
can only contribute constraints of two statically 
determined types. ■ 

We extended the PROMELA grammar with the 
two new primitives nfullQ and nemptyQ, referred to 
in (4) and (5). A simple grammar rule in the parser 
prevents attempts to include negations of these two 
tests. 

The observability of the effect of statements to 
the propositions of the Buechi Automaton (i.e., the 
PROMELA never claim) is already guaranteed by 
the scope rules of PROMELA: in the absence of 
remote referencing, the never claim can only refer 
to global objects in the specification. All safe and 
conditionally safe operations are therefore neces- 
sarily non-observable to the claim. Any reference 
to a queue, for instance, breaks the exclusive ac- 
cess status of that queue, and automatically marks 
the send or receive operations as observable, and 
therefor non-saf . 

Because PROMELA allows the dynamic cre- 
ation of a finite number of processes, it is not 
always possible to determine a priori which pro- 
cesses will b able to access which queues. Exclu- 



sive s nd and receive access, in our implementa- 
tion, is therefore entered into the PROMELA speci- 
fication as a logical assertion, which can be 
checked at runtime. Th Appendix shows an exam- 

5 pie of a complete PROMELA specification for a 
leader election protocol from [DKR82], with the 
exclusive send and receive assertions added. It can 
easily be shown that the validity of an assertion of 
this type can be proven by both the non-reduced 

w and the reduced search, even when the reduction 
is based on an invalid assertion of this type. The 
intuition behind this is that the reduced search can 
only permute globally independent statements, it 
cannot prevent their execution altogether. There- 

75 fore, at least one send or receive operation that 
violates an exclusive access assertion will even- 
tually be executed in the reduced search, though 
perhaps at a different place then in the non-re- 
duced search. There is, of course, also the pos- 

20 sibility that the reduced search is stopped on the 
detection of an acceptance cycle before the viola- 
tion of an exclusive access assertion can be dem- 
onstrated. In that case, however, the search has 
already reached its goal: it has detected the exis- 
ts tence of at least one error (i.e., an acceptance 
cycle). If the violation of an exclusive access asser- 
tion can be demonstrated first, our implementation 
also reports an error (i.e., an assertion violation), 
which in that case means that the reduction itself 

30 was invalid. 

For the correctness of the reduction algorithm 
itself it must be demonstrated that if there exist one 
or more acceptance cycles in FxG, the reduced 
search algorithm will always report at least one of 

35 them. The proof of this property is given in [P94]. 
Note that it is not guaranteed, neither for the re- 
duced nor for the standard algorithm, that all ac- 
ceptance cycles will be reported. 

40 Conclusion 

The foregoing Detailed Description has disclosed 
to those of ordinary skill in the system verification 
arts how the state space required to verify liveness 

45 and/or safety may be reduced using statically avail- 
able information. While the Detailed Description 
has disclosed the best mode presently known to 
the inventors of practicing the principles of the 
invention, it will be immediately apparent that many 

so other implementations which employ the principles 
of the invention are possible. That being the case, 
the foregoing Detailed Description is to be re- 
garded as being in all respects illustrative and 
exemplary, and not restrictive, and th scop of th 

55 inventions disclosed herein is to be determined 
solely by the claims as interpr ted with the full 
br adth permitted by the patent laws. 
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/ Claims 

1. A method of verifying that a system has either 
a safety prop rty or a liveness property com- 
prising the steps of: 5 

using statically-available information to re- 
duce a state space describing the system to a 
subset thereof which still provably permits ver- 
ification of the safety or liveness property; and 

using the subset of the state space to io 
verify the safety or liveness property. 
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/dtffiwlt 5 
fdofino P 12 
f dofmo L 1 

char in] r [L] of {byte); 

pndyps left (chon out) 
I bytf eeunir; 



n out; 



/• Numb* of Proc ♦/ 
/• Kumbon to chide •/ 
/• Szo of buff* qu«M V 

/• Wttnost procos •/ 



countv = countor + 1; 

rf 

:: countr > P -> break 
:: counter <= P 

fl 



od 



prodypf iradolt (chon in, cut; byto procnurn) 
{ byto (iryvoi, noxtvoj; 



/• go) fir* vah« horn tht toft •/ 
/• upon rtaipt of a ntv voiua */ 



a out; 
xr is; 
inTittyvoi; 
do 

" to? nntvoi; 
if 

= nntvoi X mpd 1= 0 -> outinutai 

/• stnd number right if no dmtor found V 
z nixtvd X mpd — Q 

n 

od 
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prodypo right (chon In) /* rightmost choroid •/ 

1 k*r - - 



xr in; 

in/biggo* 
do 

:: in?ntxt 
od 



/• ignort next whits •/ 



507 



irut ( 



b|t» 

atomic { 



run loft { o$| k 
do 

- proc < N -> brKk 509 
run middlo ( q[proc-t] , q[procJ, proc ); 
proc = proc+1 

:: proc == N -> brook 

ed; 

run right ( q[N-t] ) 
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FIG. 8 



S1-1 



801 



(RUN RIGHT(Q[(3-1)])) 



S2-1 



803 



609 



COUNTER =2 



S3-1 
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COUNTER' (COUNTER -M) 
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OimCOUNTER 
(N7MYVAL 
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S! 
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26 
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28a 
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29 

30 

31 



W*.(H) 

{ s = top (Stack); 
nxt = all transitions in G enabled in s; /* the 8 chi Automaton ♦/ 
for all t in nxt j 
{ s' = successor of s after t; 
if N == 2 and s' == seed 
| report cccflptcmcft cyd& 
return 

if \z\H\ NOT in Stotespace 

{ enter {s'.Nj into Stotespace; 

ptub onto stack; 

dft(N)r 

if N — 1 and s is an accepffna; statt iir 6 
{ seed = s 
^ dfs (2) 



I I 
pop s from Stack 
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FIG. 9 

2 { derive ond optimizB transition structures 

3 enter s 0 into Stotespoce; 
4- push s 0 onto Stock; 

5 Dfs(l); /♦ see Figure 1c ♦/ 



FIG, 10 

7 dfs(N) 

8 | s = top (Stack); 

9 for each sequential process i 

10 { nxr = ail transitions in F enabled in s with Pid(»)=i 

1 1 for atl t in nxt 

12 j 5' = successor of s after i; 

13 if ,N| NOT in Statespace 

u j enter M into Statespace; 

15 push s'onto Stack; 

16 Dfs(N); 

\l 1 1 1 

io pop s from Stock 

19 } 



FIG. 11 

20 Ofs (N) 

2t | 3 - top (Stack); 

22 nxf r alt transitfaiw in C enabled in s; /* the B chi Automaton 

23 for atl r irr m* 

24 j * r successor of s after t; 

25 if js'.Nj NOT into Statespace; 

26 { enter js'.N} into Statespace; 

27 push s'onto Stock; 

28 dfs (N); 

29 j j 

30 pop s from Stock 

31 i 
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FIG* 13 

7 Dfs (N) 

8 | s = top (Stack); 



8a Re-order processes; 

9 for each sequental process i 
9g I booteotr Proviso - true 

10 rut = all transitions in F enabled in s with Pid(t)=i 

11 for alt tin nxt 

12 { s'= successor of s after t; 

13 if j s ;N| NOT in Statespace 

U | enter js'.Nj into Statespace; 

15 push s' onto Stock; 

16 Ofs(N) 

16a } else if s'in Stack /* reduction proviso ♦/ 

16b Proviso = false 

16c \ 

16d if Proviso = true 

|6e break /• from the loop over processes •/ 

18 pop s from Stack 
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